CTunnel and the Palin breach

It seems like everyone and their twin sister’s first cousin is blogging about the breach of Palin’s email accounts. I’ve resisted so far, but wanted to touch on the latest report from the BBC that says that FBI agents are investigating the breach. As part of the news story, the CTunnel tool was mentioned as the anonymous proxy service used by the “hacker”. It seems that the FBI is seeking records from the people behind CTunnel in connection with the investigation.

After a quick look at the CTunnel website, I found the following text in reference to the CTunnel logging and retention of data.

“Because our visitors value their privacy, it is not in our interests to spy on you, lest we lose traffic and advertising revenue. Because government subpoena could require us to hand over our server access logs, access logs are regularly deleted to protect your privacy. In short, we value your browsing experience as well as your anonymity, and would not do anything to break your trust in us.”

It’s not clear from this what “regularly” means, and it will be interesting to see what legal ramifications come from the use of CTunnel in this breach. If the people behind CTunnel are forced to provide all logs related to the breach, I can see people moving away from the service for fear of future privacy issues. I would be much more comfortable if CTunnel had a specific written policy that details things a little better than just “regularly”. However, I’m not a customer of the service, so it’s not for me to say. Still, if CTunnel truly “value your browsing experience as well as your anonymity”, then I’d hope they have better in-house policies than the badly worded ones listed on their website.

14 responses to “CTunnel and the Palin breach”

This situation is being used as an excuse for being a Luddite. When times are changing you have to expect people and conglomerates of people (aka governments) to change too. But some are willing to fight changes – any and all changes.

Maybe the conglomerate will change too much and need to be fought, but we can’t just blindly balk at all changes.

The phrase “privacy invasion” is being used in the same way as “murder” is by the anti-abortion crowd.

This is true; however, many small changes can easily group together to weaken your rights to privacy. Things like this are quick to occur, and people are slow to respond when their rights are threatened.

I’m not a privacy advocate by any means, but I would hate to see the US (and other like-minded governments) continue down the road they’re currently on. There may be many different reasons for reviewing privacy laws; however, hiding the changes behind the mask of terrorism or blaming a few bad eggs (i.e. hackers) isn’t the way to make the changes needed. After all, policy in the US, UK, etc. will ultimately impact on those of us in Central Europe.

“The whole attack seems very simple once you understand how it was done. No exploitation, no vulnerable services (in the strictest sense of the word), just good old fashioned research and luck that Yahoo’s password reset was badly implemented (or at least not as well implemented as we’d all like). All the information required for the reset is easy enough to find. When you add the fact that she’s “moderately” well known, then things just get so much easier.”

I think if you re-read my first comment, you’ll find that’s what I’m trying to say. This wasn’t a hack, it was somebody taking advantage of a badly designed password reset. Anyway, this has already been covered a thousand times. The mainstream news will continue to call this person a hacker, and those in the know will continue to argue that it wasn’t even a hack. Then again, that’s an argument that will always rage.
